Embed Size (px)
Citation preview
Car Operating Systems
Ryan Benesky
The Beginning of Car Computers 1970s Was the beginning of the EPA and regulations to
clean up the environment. In the late 1970s car manufactures were under pressure to
increase fuel mileage and decrease pollution by the California Clean Air Act.
Manufactures moved towards Fuel injection based systems which require computers to control the system. Virtually all cars by the 1980s where fuel injected.
Electronic Control Unit (ECU)
An ECU is an embedded system that controls/monitors systems in a car.
Combination of ECUs is known as the cars computer. The cars “computer” is not one system but a large number
of small subsystems connected together by a network. Modern vehicles have up to 75+ ECUs.
Typical ECUs
Engine Control Module (ECM) – Determine parameters for an Internal combustion engine.
Electronic Stability Control (ESC) – Improves vehicle safety by preventing loss of control.
Anti-Lock Braking System (ABS) – Improves safety by preventing the brakes from locking.
The Engine Control Module ECM
Electronic Control Module
Controls the parameters of an internal combustion engine.
Has developed into a closed-loop system, feeds data back into the car to make decisions
Embedded System, resources are limited. Early systems entirely look-up table based. Current designs are able to compute many
parameters on-the-fly but there is still a few look up tables.
ECM Running Modes Open-loop : This is when the ECM is not using input
data from sensors. This occurs in certain circumstances where using
input data would not be beneficial. Such as: when the engine is cold, or wide open throttle.
Closed-loop: This uses post-combustion data to compute changes for pre-combustion parameters.
This change was implemented as the microprocessors got faster and EPA standards got tighter. Some use data from short period of time 1trip others keep track of data for months.
Some ECM Parameters Engine Load - Computed from Air Flow Rate into the engine and Intake
Manifold air pressure
Engine Speed - Reported by the Crankshaft Position Sensor
Coolant Temperature - Reported by the engine coolant sensor, a thermistor that varies its resistance according to the engine coolant temperature
Throttle Position - Throttle position sensor creates a voltage signal that varies in proportion to the throttle valve opening angle
Intake Air Temperature - Measured by another thermistor located in the Mass Air Flow Sensor unit
Battery Voltage - Battery voltage affects the speed at which the fuel injectors open and must be taken into account in computing the fuel injector pulse length, or injector open time
Oxygen Sensor - The oxygen density in the exhaust emissions is detected
and generates a control signal back to the ECU indicating the burned air/fuel ratio.
Sensors
The ECM uses specially designed sensors to obtain information.
ECM
http://www.motoiq.com/magazine_articles/articletype/articleview/articleid/1539/understanding-the-efi-process.aspx
Look-up Table
Using ECUs as Diagnostic tool
OBD-II – standard diagnostic testing. Diagnostic Problem – An error occurs but where
is really? Logging takes place in “trips,” an error may not
be presented to the driver until the same error has occurred for a number of trips.
OBD-II Diagnostic
http://www.4x4wire.com/toyota/4Runner/tech/OBDII_ECU/
Controller Area Network (CAN)
Wikipedia: Controller–area network (CAN or CAN-bus) is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other within a vehicle without a host computer.
Multi-master broadcast bus
Shared medium,
Any device can broadcast as long as the line is free
If two messages broadcast simultaneously, the message with the more-dominated id will propagate to each node and overwrite the message of the less dominate id.
Bit rates of up to 1Mbit/s are possible < 40m
Network types.
There is a myriad of ECUs operating in the car Some systems are very critical to the operation
of the car including driver safety. Such as the ECM, ABS, and TCM
Other systems such as the Radio, Door Locks, etc. These are not necessary for the operation of the car and are on a slower network.
Experimental Security Analysis of a Modern Automobile
cnslab.snu.ac.kr/twiki/bin/view/Main/Research
Modern ECUs
Drive-by-Wire Variable Control Transmissions Magnetic Dampers
autospeed.com.au/cms/title_Magnetic-Dampers/A_110995/article.html
Telematics
In the mid 1990's car companies started attaching powerful ECU's to the car.
Some with networking and GPS capabilities such as on-star.
Future Networking Infrastructure
VANET – Vehicular Ad-hoc Networks.
Security
Experimental Analysis of a Modern Automobile By: Joint Paper between researchers at University of
Washington and University of California San Diego. Paper highlighting what a malicious user could accomplish
if they could gain access to the car networks and computers.
Potential Vectors
Physical Access – A person can attach a module to the standard OBD-II port on any car.
Component can stay attached It is also possible to flash another module
from the port. Malicious component – A module (even the FM
radio) can be replaced by one with malicious firmware.
Network Access – Researchers identified no less than 5 networks on the test car.
CAN Security Broadcast – All packets are physically and logically
sent to all ECU's. Denial of Service – Priority based protocol allows
malicious packets to dominate the network. No Authentication – Packets are not authenticated, no
source information is stored in CAN packets. Ease of Access – Variety of tools available to access
components and change settings or even re-flash the component.
Poor Network Segregation – Car critical components need to be isolated but bridging the networks is easily accomplished.
CAN Security
ECU Security
ECU re-flashing – Car manufactures need the ability to re-flash the ECUs to perform maintenance.
ECUs are required to implement security features that only allow authorized personnel to re-flash the ECU
Diagnostic Abilities – ECUs are required to report (possible too much) information about the components
Communication Saftey – Manufactures don't follow standards that state ECUs must remain in a safe-state even if instructed to do otherwise.
Attack Methodology
Packet Sniffing – CarShark was used to monitor the CAN packets while components were cycled to determine information.
Fuzzing – CAN packets have a small valid packet range therefore randomly selecting packets can do a significant amount of damage.
Reverse-Engineering – Components were purchased from resellers and then dumped onto a debugging platform for reverse engineering.
ECU Security
Results
Results Cont.
Conclusions Car Computers are here to stay.
Infact, with many modern cars the computers have more control then the driver.
Plenty of new/cool work that can be done.
Open source ECU Projects Customization
Car Computer security is poor.
Today, for must users this does not pose a problem As communications infrastructure increases this
may pose a bigger problem Major problem is the lack of standards and the lack
of implementation of standards.
Sources/Links
Toyota Training Series http://www.autoshop101.com/autoshop15.html
Experimental Security Analysis of a Modern Automobile www.autosec.org/pubs/cars-oakland2010.pdf
DIY EFI
www.diyefi.org Understanding OBDII Engine Systems and Fuel Mixture Control
http://www.4x4wire.com/toyota/4Runner/tech/OBDII_ECU/ Recent blog by someone hacking there car (good CAN finding info)
http://marco.guardigli.it/2010/10/hacking-your-car.html
